History

4-16-2018 – Assessment completed

Impact

Customer deployments of SAS® are not vulnerable to CVE-2018-1270 or CVE-2018-1275.

Description

Spring Framework (versions 5.0.x to 5.0.5; 4.3.x to 4.3.16; and older, unsupported versions) enables applications to expose the STOMP protocol over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code-execution attack.

Solution

No SAS software exposes the STOMP protocol over WebSocket endpoints. Therefore, SAS is not vulnerable to this issue, and no customer action is required to fix this vulnerability.